CONSTRUCTING ELLIPTIC CURVES OF PRIME ORDER 



Reinier Broker, Peter Stevenhagen 

Abstract. We present a very efficient algorithm to construct an elliptic curve $E$ and
a finite field $F$ such that the order of the point group $E(F)$ is a given prime number $N$.
Heuristically, this algorithm only takes polynomial time $\tilde O((\log N)^3)$, and it is so fast
that it may profitably be used to tackle the related problem of finding elliptic curves
with point groups of prime order of prescribed size.

We also discuss the impact of the use of high level modular functions to reduce the 
run time by large constant factors and show that recent gonality bounds for modular 
curves imply limits on the time reduction that can be obtained. 



1. Introduction 

For almost twenty years, the discrete logarithm problem in the group of points on
an elliptic curve over a finite field has been used as the basis of elliptic curve
cryptography. Partly because of this application, the mathematically natural question
of how to generate elliptic curves over finite fields with a given number of points
has attracted considerable attention [16, 15, 2, 5]. More in particular [22, 14], one is
led to the question of how to efficiently generate 'cryptographic' elliptic curves for
which the order of the point group is a prime number. For elliptic curves of prime
order $N$, the discrete logarithm problem is currently supposed to be intractable for
$N > 10^{60}$.

Section 2 deals with the problem of constructing a finite field $F$ and an elliptic
curve $E/F$ having a prescribed prime number $N$ of $F$-rational points. We show
that, on prime input $N$, such an elliptic curve can be constructed efficiently, in
heuristic polynomial time $\tilde O((\log N)^3)$, using traditional complex multiplication
(CM) methods. Here the $\tilde O$-notation indicates that factors that are of logarithmic
order in the main term have been disregarded. Note that $\tilde O(X)$ for $X \to \infty$ is
slightly more restrictive than $O(X^{1+\varepsilon})$ for all $\varepsilon > 0$. The finite field $F$ over which
$E$ is constructed will be of prime order $p$ for some $p$ sufficiently close to $N$. The
algorithm takes less time than algorithms that prove the primality of the input $N$.
However, if the given input is known to be prime, the output $E/\mathbf{F}_p$ is guaranteed to
be an elliptic curve over a prime field $\mathbf{F}_p$ having exactly $N$ points over $\mathbf{F}_p$. Because
of its efficiency, the range of our method amply exceeds the range of prime values
in current cryptographic use.

In Section 3, we discuss the related problem of constructing an elliptic curve that
has a point group of prime order of prescribed size. Unlike the earlier problem, this
may be tackled efficiently by 'naive' methods that generate curves using trial and
error and exploit the efficiency of point counting on elliptic curves. We describe
the 'traditional CM-algorithm' that constructs, on input of an integer $k \in \mathbf{Z}_{\geq 3}$, an
elliptic curve with prime order of $k$ decimal digits, and show that the run time of
this algorithm is $\tilde O(k^{4+\varepsilon})$ for every $\varepsilon > 0$. It becomes $\tilde O(k^4)$ if we are content with
probable primes instead of proven primes. As a consequence, we deduce that the
fastest way to tackle the problem in this Section is to first fix a (probable) prime
$N$ of $k$ digits and then apply our CM-algorithm from Section 2 for that $N$.

From a practical point of view, CM-methods are hampered by the enormous 
size of the auxiliary class polynomials entering the construction, and since the 
time of Weber [25], extensive use has been made of 'small' modular functions to 
perform CM-constructions. We discuss the practical improvements of this nature 
in Section 4, and show how recent results on the gonality of modular curves imply 
upper bounds on the gain that can result from such methods. 

A final section contains numerical illustrations of the methods discussed. 

2. An efficient CM-construction 

We start with the fundamental problem of realizing a prime number $N > 3$ as
the group order of an elliptic curve $E$ defined over some finite field $\mathbf{F}_q$. By Hasse's
theorem, the order of the point group $E(\mathbf{F}_q)$ is an element of the Hasse interval

$$H_q = [\,q + 1 - 2\sqrt{q},\; q + 1 + 2\sqrt{q}\,]$$

around $q + 1$. The relation $N \in H_q$ is actually symmetric in $N$ and $q$, as we have
$N \in H_q \Leftrightarrow q \in H_N$. Consequently, a necessary condition for the existence of
a curve with $N$ points is that the Hasse interval $H_N$ contains a prime power $q$.
As the set of integers $N$ for which $H_N$ contains a non-prime prime power $q$ is
a zero density subset of $\mathbf{Z}_{>0}$, we may and will restrict to elliptic curves defined
over prime fields $\mathbf{F}_q = \mathbf{F}_p$. If $p$ is a prime number in $H_N$, then an elliptic curve
$E/\mathbf{F}_p$ with $\#E(\mathbf{F}_p) = N$ always exists. It follows from $p = N \in H_N$ that elliptic
curves of prime order $N$ exist for every prime $N$, but our algorithm will typically
construct curves over prime fields different from $\mathbf{F}_N$. This is certainly desirable from
a cryptographic point of view, as curves of order $N$ over $\mathbf{F}_N$ are cryptographically
unsafe: the discrete logarithm problem on them can be transformed [20] into a
discrete logarithm problem for the additive group of $\mathbf{F}_N$ that is easily solved.

Let $p$ be any prime in $H_N$, and write $N = p + 1 - t$. Then we have $t \neq 0$, as
the primes $p$ and $N > 3$ are not consecutive numbers. It is well known that a curve
$E/\mathbf{F}_p$ has $N$ points over $\mathbf{F}_p$ if and only if the Frobenius morphism $F_p : E \to E$
satisfies the quadratic equation

$$F_p^2 - tF_p + p = 0$$

in the endomorphism ring $\mathrm{End}(E)$. This means that the subring $\mathbf{Z}[F_p] \subset \mathrm{End}(E)$
generated by Frobenius is isomorphic to the imaginary quadratic order $O_\Delta$ of
discriminant $\Delta = t^2 - 4p < 0$, with $F_p$ corresponding to the element $(t + \sqrt{\Delta})/2 \in O_\Delta$
of trace $t$ and norm $p$. As $t$ is nonzero, the curve is ordinary. Conversely, if the
endomorphism ring $\mathrm{End}(E)$ of an ordinary elliptic curve $E/\mathbf{F}_p$ contains an element
$F$ of degree $p$ and trace $F + \bar F = t$, and therefore a subring isomorphic to $O_\Delta$, then
one of the twists of $E$ over $\mathbf{F}_p$ has $N$ points. Thus, constructing an elliptic curve
having $N$ points over $\mathbf{F}_p$ is the same problem as constructing an ordinary elliptic
curve over $\mathbf{F}_p$ for which the endomorphism ring is isomorphic to some quadratic
order containing $O_\Delta$.

Over the complex numbers, the $j$-invariants of curves with endomorphism ring
isomorphic to $O_\Delta$ are the roots of the Hilbert class polynomial

$$P_\Delta = \prod_{[Q] \in \mathrm{Pic}(O_\Delta)} \bigl(X - j(\tau_Q)\bigr) \in \mathbf{Z}[X].$$

Here $j : \mathbf{H} \to \mathbf{C}$ is the classical modular function on the complex upper half plane
$\mathbf{H}$ with Fourier expansion $j(z) = 1/q + 744 + \ldots$ in $q = \exp(2\pi i z)$, and the points
$\tau_Q = (-b + \sqrt{\Delta})/(2a) \in \mathbf{H}$ correspond in the standard way to the ideal classes

$$[Q] = \Bigl[\mathbf{Z}\cdot a + \mathbf{Z}\cdot \frac{-b + \sqrt{\Delta}}{2}\Bigr] \in \mathrm{Pic}(O_\Delta).$$

The polynomial $P_\Delta$ has integer coefficients, so it can be computed by approximating
the roots $j(\tau_Q) \in \mathbf{C}$ with sufficient accuracy. Alternatively, one can use $p$-adic
algorithms [7, 4, 5] to compute $P_\Delta$.

The polynomial $P_\Delta$ splits completely modulo $p$, and its roots in $\mathbf{F}_p$ are the $j$-invariants
of the elliptic curves $E/\mathbf{F}_p$ with endomorphism ring isomorphic to $O_\Delta$.
If $j_0 \neq 0, 1728 \in \mathbf{F}_p$ is one of these roots, then the elliptic curve

$$(2.1)\qquad E : Y^2 = X^3 + aX - a \quad\text{with}\quad a = \frac{27 j_0}{4(1728 - j_0)} \in \mathbf{F}_p$$

has $j$-invariant $j_0$. If we have $N \cdot P = 0$ for our prime number $N$ and $P = (1, 1) \in E(\mathbf{F}_p)$,
then $E(\mathbf{F}_p)$ has order $N$. Otherwise the quadratic twist $E' : Y^2 = X^3 + g^2 a X - g^3 a$
with $g \in \mathbf{F}_p^*$ a non-square has $N$ points over $\mathbf{F}_p$. In the special cases
$j_0 = 0, 1728$ there are a few more twists to consider.

As we only need $\mathrm{End}(E)$ to contain an order isomorphic to $O_\Delta$, we can replace
$\Delta$ in the argument above by the field discriminant $D = \mathrm{disc}(\mathbf{Q}(\sqrt{\Delta}))$. For most $t$,
the discriminant $\Delta = \Delta(p) = t^2 - 4p$ is of roughly the same size as $p$ and $N$.
Moreover, the associated field discriminant $D$, which is essentially the squarefree
part of $\Delta$, will be of the same size as $\Delta$ itself for most $\Delta$. As computing the Hilbert
class polynomial $P_D \in \mathbf{Z}[X]$, which has degree $h(D) \approx \sqrt{|D|}$ and coefficients of size
$\tilde O(\sqrt{|D|})$, takes time at least linear in $|D|$, the CM-algorithm will have exponential
run time $\tilde O(N)$ for 'most' choices of primes $p \in H_N$.

There is however a way to select primes $p \in H_N$ for which the field discriminant
$D = D(p) = \mathrm{disc}(\mathbf{Q}(\sqrt{\Delta(p)}))$ is only of polynomial size in $\log N$. What we want is
a discriminant $D$ such that the order $O_D$ contains an element $\pi$ of prime norm $p$ for
which we have $N = p + 1 - \mathrm{Trace}(\pi) = \mathrm{Norm}(1 - \pi)$. Exploiting the symmetry in $p$
and $N$ and writing $\alpha = 1 - \pi$, we can also say equivalently that we want an order $O_D$
containing an element $\alpha$ of norm $N$ with the property that $p = N + 1 - \mathrm{Trace}(\alpha) =
\mathrm{Norm}(1 - \alpha)$ is prime. Note that if $\pi \in O_D$ has prime norm $p > 2$, then $\alpha = 1 - \pi$
will have even norm in case the residue class field of the primes over 2 in $O_D$ is the
field of 2 elements. For prime values $N > 5$, or more generally for odd $N > 5$, this
means that we can only use discriminants $D$ congruent to 5 modulo 8.

In principle, one can find the smallest $D$ for which $O_D$ contains an element $\alpha$ of
norm $N$ such that $\mathrm{Norm}(1 - \alpha)$ is prime. To do so, one splits the prime $N$ in the
imaginary quadratic orders $O_D$ with $\bigl(\frac{D}{N}\bigr) = 1$ as $(N) = \mathfrak{a}\bar{\mathfrak{a}}$ for descending values of
$D = -3, -11, -19, \ldots$ congruent to 5 mod 8 until we find a value of $D$ such that
$\mathfrak{a} = \alpha O_D$ is principal with generator $\alpha$ and $N + 1 \pm \mathrm{Trace}(\alpha) = \mathrm{Norm}(1 \pm \alpha)$ is
prime. Now assume the standard heuristical arguments that the prime $\mathfrak{a} \subset O_D$
over $N$ will be principal with 'probability' $1/h(D)$ and that $\mathrm{Norm}(1 \pm \alpha) \approx N$ will
be prime with 'probability' $1/\log N$. Then it is shown in [6, Theorem 4.1] that the
expected value of the smallest suitable discriminant $D$ found in this way will be

$$D = \tilde O((\log N)^2).$$

Moreover, as the principality of the ideal $\mathfrak{a} \subset O_D$ lying over $N$ can be tested efficiently
using the 1908 algorithm of Cornacchia [23], we can expect to find this $D$ in time
$O((\log N)^{4+\varepsilon})$.

Cornacchia's algorithm explicitly computes the positive integers $x, y$ that satisfy

$$x^2 - Dy^2 = 4N$$

in case such integers exist. For $D < -4$, such $x, y$ are uniquely determined by $N$. If
found, the element $\alpha = (x + y\sqrt{D})/2 \in O_D$ has norm $N$, and we hope that one of the
elements $\mathrm{Norm}(1 \pm \alpha) = N + 1 \pm x$ is prime. Cornacchia's algorithm consists of the
computation of a square root $x_0$ mod $N$ of $D$ mod $N$ followed by what is basically
the Euclidean algorithm for $x$ and $N$. It takes probabilistic time $\tilde O((\log N)^2)$ for
each $D$. Performing Cornacchia's algorithm for $D = -3, -11, \ldots$ up to a bound
of size $(\log N)^2$ takes time $\tilde O((\log N)^4)$, and this dominates the run time of the
algorithm. We will lower the heuristic run time to $\tilde O((\log N)^3)$ by applying an idea
attributed to J. Shallit in [18] to speed up the algorithm.
We start from the observation that $N$ splits into principal primes in $O_D$ if and
only if $N$ splits completely in the Hilbert class field $H_D$ of $\mathbf{Q}(\sqrt{D})$. If this is the
case, then $N$ also splits completely in the genus field $G_D \subset H_D$, which is obtained
by adjoining the square roots of $p^* = (-1)^{(p-1)/2}\, p$ to $\mathbf{Q}(\sqrt{D})$ for all odd prime
divisors $p \mid D$. We have $\bigl(\frac{p^*}{N}\bigr) = \bigl(\frac{N}{p}\bigr) = 1$ for all odd primes dividing $D$, and we
can save time if we do not try increasing values of $D$ until we hit the smallest
suitable $D$, but rather construct a suitable discriminant $D$ from a generating set of
'good' primes $p$ for which we know that $p^*$ is a square modulo $N$. If we only consider
primes $p$ of size $O(\log N)$, the time needed to compute the values $\sqrt{p^*}$ mod $N$ for
these primes is $\tilde O((\log N)^3)$.

Our algorithm consists of multiple 'search rounds' for a suitable discriminant $D$,
where in each round we increase the size of the 'basis' of primes we use. First
we take the primes between 0 and $\log N$ and see whether we can find a suitable
$D \equiv 5 \bmod 8$ with $|D| < (\log N)^2$ that is a product of primes from this basis. If no such $D$
exists, we add the 'good' primes between $\log N$ and $2\log N$ to our basis, and look
for a suitable $D$ with $|D| < (2\log N)^2$ created from this enlarged basis, and so on. In
this way, we encounter in the $r$-th round all discriminants $D$ with $|D| < (r\log N)^2$
that are products of prime factors below $r\log N$. Asymptotically (cf. the 'analytic
tidbit' in [19]), this is a positive fraction $1 - \log 2 \approx 0.30685$ of all discriminants
below $(r\log N)^2$. As the smoothness properties of $D$ play no role in our heuristics,
we still expect to find a suitable discriminant of size $\tilde O((\log N)^2)$. Thus, we expect
the algorithm below to terminate after a number of rounds that is polynomial in
$\log\log N$. In practice (cf. Section 5), this number is usually 1.

2.2. Algorithm.

Input: a prime number $N$.

Output: a prime number $p$ and an elliptic curve $E/\mathbf{F}_p$ with $\#E(\mathbf{F}_p) = N$.

1. Put $r \leftarrow 0$, and create an empty table $S$.

2. Compute for all odd primes $p \in [r\log N, (r+1)\log N]$ that satisfy $\bigl(\frac{N}{p}\bigr) = 1$ a
square root $\sqrt{p^*}$ mod $N$, and add the pairs $(p^*, \sqrt{p^*} \bmod N)$ to the table $S$.

3. For each product $(D, \sqrt{D} \bmod N) = (\prod_i p_i^*,\ \prod_i \sqrt{p_i^*} \bmod N)$ of distinct
elements of $S$ that satisfies $|\prod_i p_i^*| < (r\log N)^2$ and $D \equiv 5 \bmod 8$, do the following.
3a. Use the value $\sqrt{D}$ mod $N$ and Cornacchia's algorithm to compute $x, y > 0$
satisfying $x^2 - Dy^2 = 4N$.
3b. For each solution found in step 3a, test whether $p = N + 1 \pm x$ is a probable
prime. If it is, compute the Hilbert class polynomial $P_D \in \mathbf{Z}[X]$, compute
a root $j_0$ of $P_D \in \mathbf{F}_p[X]$, return the twist of the elliptic curve (2.1) that
has $N$ points, and stop. If no root or no twist is found, then $p = N + 1 \pm x$
is not prime and we continue with the next solution.

4. Put $r \leftarrow r + 1$ and go back to step 2.
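As an added illustration (not code from the paper), the following Python implements Steps 2 and 3a of Algorithm 2.2 together with the Cornacchia routine described above, and runs them on the 60-digit prime $N$ of Section 5. It assumes natural logarithms for $\log N$, uses $((r+1)\log N)^2$ as the bound for round $r$ (as in the description of the rounds, with $r$ starting at 0), and stands in for the paper's own implementation only as a worked example.

```python
import math
import random
from itertools import combinations

# The 60-digit prime N from Section 5 of the paper, used here as the sample input.
N_PAPER = 123456789012345678901234567890123456789012345678901234568197


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases: the 'cheap' probable-prime test of Step 3b."""
    if n < 2 or any(n % q == 0 for q in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def sqrt_mod(a, p):
    """Tonelli-Shanks: a square root of a modulo the odd prime p, or None for a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                         # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def cornacchia_4n(D, n, sqrt_D=None):
    """Solve x^2 - D y^2 = 4n in positive integers for D < -4, D = 1 mod 4, n an odd prime.
    Returns (x, y) or None; sqrt_D may be a precomputed root of D mod n (from the table S)."""
    x0 = sqrt_mod(D, n) if sqrt_D is None else sqrt_D % n
    if x0 is None:
        return None
    if x0 % 2 != D % 2:            # pick the root with x0 = D (mod 2), so x0^2 = D (mod 4n)
        x0 = n - x0
    a, b, bound = 2 * n, x0, math.isqrt(4 * n)
    while b > bound:               # Euclidean algorithm on 2n and x0, stopped below 2*sqrt(n)
        a, b = b, a % b
    quo, rem = divmod(4 * n - b * b, -D)
    if rem != 0 or quo <= 0:
        return None
    y = math.isqrt(quo)
    return (b, y) if y * y == quo and b > 0 else None


def good_primes(N, lo, hi):
    """Step 2: odd primes p in [lo, hi] with (N/p) = 1 as pairs (p*, sqrt(p*) mod N),
    where p* = (-1)^((p-1)/2) p is a square mod N by quadratic reciprocity."""
    table = []
    for p in range(max(3, lo), hi + 1):
        if p % 2 and all(p % d for d in range(3, math.isqrt(p) + 1, 2)) \
                and pow(N % p, (p - 1) // 2, p) == 1:
            p_star = p if p % 4 == 1 else -p
            table.append((p_star, sqrt_mod(p_star, N)))
    return table


def find_discriminant(N, r=0):
    """Round r of Step 3: the product D = 5 mod 8 of distinct basis entries with the smallest
    |D| for which x^2 - D y^2 = 4N is solvable and N + 1 +/- x is a probable prime, or None."""
    ln = math.log(N)
    table = good_primes(N, int(r * ln), int((r + 1) * ln))
    bound = ((r + 1) * ln) ** 2    # assumption: round r searches |D| < ((r+1) log N)^2
    candidates = []
    for k in range(1, len(table) + 1):
        for subset in combinations(table, k):
            D = math.prod(p_star for p_star, _ in subset)
            if D % 8 == 5 and abs(D) < bound:
                candidates.append((D, subset))
    for D, subset in sorted(candidates, key=lambda c: abs(c[0])):
        sqrt_D = math.prod(root for _, root in subset) % N   # product of the stored roots
        sol = cornacchia_4n(D, N, sqrt_D)
        if sol is None:
            continue
        x, y = sol
        primes = [p for p in (N + 1 + x, N + 1 - x) if is_probable_prime(p)]
        if primes:
            return D, x, y, primes
    return None
```

On the Section 5 input, round 0 already returns $D = -2419$ with the solution $(x, y)$ and the prime $p = N + 1 + x$ quoted there.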

A heuristic analysis of the Algorithm above leads to the following. 

2.3. Theorem. On input of a prime $N$, Algorithm 2.2 returns a prime $p$ and an
elliptic curve $E/\mathbf{F}_p$ with $\#E(\mathbf{F}_p) = N$. Under heuristic assumptions, its run time
is $\tilde O((\log N)^3)$.

Proof. As the smoothness properties of $D$ are irrelevant in the heuristic analysis
detailed in [6], the smallest suitable $D$ found by our Algorithm, which restricts
to the positive density subset of discriminants, will be of size $\tilde O((\log N)^2)$. The
expected number $r$ of rounds of our Algorithm will therefore be small, at most
polynomial in $\log\log N$, and in view of our $\tilde O$-notation we may prove our Theorem
by focusing on the time needed for a single round of the Algorithm, which consists
of Steps 2 and 3.

In Step 2 we have to find primes up to $(r + 1)\log N$. As we only need to test
primality of integers of size $O(\log N)$, the time needed to find these primes is
negligible. For all the $O(\log N)$ primes we find, we need to test which primes are 'good',
i.e., which primes satisfy $\bigl(\frac{N}{p}\bigr) = 1$. The time needed for this computation is also
negligible. The bottleneck in Step 2 is the computation of the square roots of $p^*$ mod $N$
for the good primes $p$. Each square root computation takes time $\tilde O((\log N)^2)$, so
Step 2 takes time $\tilde O((\log N)^3)$.

For each of the $O((\log N)^2)$ products $(D, \sqrt{D} \bmod N)$ formed in Step 3, we run
the Euclidean algorithm part of Cornacchia's algorithm in Step 3a in time $\tilde O(\log N)$.
This takes time $\tilde O((\log N)^3)$. We expect to find $O(\log N)$ solutions $(x, y)$ from Step
3a for which we have to test primality of $N + 1 \pm x$ in Step 3b. A cheap Miller-Rabin
test, which takes time $\tilde O((\log N)^2)$, suffices for our purposes, and leads to a total
time $\tilde O((\log N)^3)$ spent on primality testing.

Once we encounter a probable prime $p = N + 1 \pm x$ for some discriminant $D$,
we compute the Hilbert class polynomial $P_D$. As $D$ is of size $\tilde O((r\log N)^2)$, this
takes time $\tilde O((\log N)^2)$. Computing a root $j_0$ of $P_D$, a polynomial of degree $h(D) =
O(\log N)$, modulo the prime $p \approx N$ once more takes time $\tilde O((\log N)^3)$. To test
which curve of $j$-invariant $j_0$ has $N$ points, we may have to compute all isomorphism
classes over $\mathbf{F}_p$ of elliptic curves with $j$-invariant $j_0$ until we find one. There are at
most 6 of these classes ('twists'), and for the class of $E$ we need to test the equality
$N \cdot P = 0$ for a point $P$ on $E$. This only takes time $\tilde O((\log N)^2)$, and we conclude
that the entire round of the algorithm runs in time $\tilde O((\log N)^3)$.

Even though we have only found a probable prime $p$ in the beginning of Step 3b,
the equality $N \cdot P = 0$ on $E$ tested in this Step exhibits a point of order $N$ on $E$,
which proves that $p$ is actually prime. □

The low asymptotic running time of our Algorithm is illustrated by the size of some
of the examples in Section 5. As several steps in the algorithm are no faster than
$\tilde O((\log N)^3)$, it seems that we have obtained an optimal result for a CM-solution
to our problem.

3. Point groups of given prime size 
Closely related to the problem of constructing an elliptic curve of prescribed prime
order $N$ is the problem of constructing a curve for which the group order is a prime
in a given interval. For concreteness sake, we take the interval as $[10^{k-1}, 10^k)$, so
the problem becomes the efficient construction of an elliptic curve over a finite field
such that the group order is a prime of exactly $k$ decimal digits.

If we insist on a curve with proven prime order, we cannot hope for an algorithm
with a faster run time than $\tilde O(k^4)$, since the fastest known algorithm [3] to rigorously
prove primality of an integer $N \approx 10^k$ has expected run time $\tilde O((\log N)^{4+\varepsilon}) =
\tilde O(k^{4+\varepsilon})$ for all $\varepsilon > 0$. The naive algorithm of selecting a prime $p$ of $k$ decimal digits
and trying random elliptic curves over $\mathbf{F}_p$ until we find one of prime order already
has a heuristic run time that comes close to this 'optimal run time'. Indeed, counting
the number of points of an elliptic curve $E/\mathbf{F}_p$ takes heuristic time $\tilde O((\log p)^4)$ using
the improvements made by Atkin and Elkies to Schoof's original point counting
algorithm [23]. Even though the distribution of group orders of elliptic curves over
$\mathbf{F}_p$ over the Hasse interval is not exactly uniform, it follows as in [17, Section 1]
that, heuristically, we have to try $O(\log p)$ curves over $\mathbf{F}_p$ until we find one of prime
order. This leads to a heuristic run time $\tilde O(k^5)$.

As was noted by many people [8, 14], we can also use complex multiplication
techniques to tackle the problem. Unlike our Algorithm 2.2, which starts with a
desired prime value $N$ for the group order and computes a suitable prime field $\mathbf{F}_p$
over which the curve can be constructed, these algorithms compute primes $p$ splitting
into principal primes $\pi$ and $\bar\pi$ in some fixed quadratic ring $O_D$, and construct a
curve over $\mathbf{F}_p$ having CM by $O_D$ and $N$ points when $N = \mathrm{Norm}(1 - \pi)$ is found to be
prime. As before, we can test whether a given prime $p$ splits into principal primes in
$O_D$ by computing a value of $\sqrt{D}$ mod $p$ for $\bigl(\frac{D}{p}\bigr) = 1$ and applying Cornacchia's
algorithm. In case $O_D$ has class number 1, i.e., for $D = -3, -11, -19, -43, -67, -163$,
we can see whether $p$ splits in $O_D$ by only looking at $p$ mod $D$.

Subject to the congruence condition $D \equiv 5 \bmod 8$, we can take any fundamental
discriminant. The run time depends on the value of $D$ we choose, the value $D = -3$
being 'optimal'. For cryptographic purposes we need to select $D$ such that the class
number of $O_D$ is at least 200, cf. Section 5.

3.1. Algorithm.

Input: an integer $k \in \mathbf{Z}_{\geq 3}$, and a negative discriminant $D \equiv 5 \bmod 8$.

Output: primes $p, q$ of $k$ decimal digits and an elliptic curve $E/\mathbf{F}_p$ with CM by $O_D$
and $\#E(\mathbf{F}_p) = q$.

1. Compute $P_D \in \mathbf{Z}[X]$.

2. Pick a random probable prime $p$ that splits into principal primes in $O_D$ and
satisfies

$$10^{k-1} + 2\cdot 10^{(k-1)/2} < p < 10^k - 2\cdot 10^{k/2}.$$

3. Write $p = \pi\bar\pi \in O_D$. If $q = \mathrm{Norm}(1 - \varepsilon\pi)$ is a probable prime for some $\varepsilon \in O_D^*$,
prove the primality of $q$, compute a root $j \in \mathbf{F}_p$ of $P_D \in \mathbf{F}_p[X]$ and return an
elliptic curve $E/\mathbf{F}_p$ with $j$-invariant $j$ with $q$ points. Else, go to Step 2.
A heuristic analysis of the Algorithm above leads to the following.

3.2. Theorem. On input of an integer $k \in \mathbf{Z}_{\geq 3}$ and a negative discriminant $D \equiv
5 \bmod 8$, Algorithm 3.1 returns primes $p, q$ of $k$ decimal digits each and an elliptic
curve $E/\mathbf{F}_p$ with CM by $O_D$ and $\#E(\mathbf{F}_p) = q$. Under heuristic assumptions, the
run time for fixed $D$ is $\tilde O(k^{4+\varepsilon})$ for every $\varepsilon > 0$.

Proof. To prove that the output of Algorithm 3.1 is correct, we only need to check
that the norms $q$ found in Step 2 have $k$ decimal digits. This follows from Hasse's
theorem $q \in H_p$ and the choice of our interval for $p$.

In Step 1 we have to find a prime $p$ of $k$ decimal digits that splits into principal
primes in $O_D$. Finding a probable prime $p$ of $k$ digits takes time $\tilde O(k^3)$, and with
positive probability $(2h(D))^{-1}$ such a prime $p$ splits into principal primes in $O_D$.
For each $p$ found we can test this in time $\tilde O(k^2)$ by computing a value $\sqrt{D}$ mod $p$
in case it exists, and use it to apply the Euclidean algorithm part of Cornacchia's
algorithm.

If $p$ factors as $p = \pi\bar\pi$ in $O_D$, the 'probability' that $\mathrm{Norm}(1 - \varepsilon\pi)$ is prime is
about $1/k$. We expect that we need to perform Step 2 roughly $k$ times, and except
for the primality proof of $q$ this takes us time $\tilde O(k^4)$.

A rigorous primality proof of $q$ in Step 3 takes time $\tilde O(k^{4+\varepsilon})$ for every $\varepsilon > 0$.
Just as in Theorem 2.3, this also proves the primality of $p$. □

The proof shows that if we only insist that $p, q$ are probable primes of $k$ digits, the
run time becomes $\tilde O(k^4)$. This is slower than Algorithm 2.2. The fastest way of
constructing a curve for which the group order is a probable prime of $k$ digits is
therefore to find a random probable prime $N$ of $k$ digits and then run Algorithm
2.2 on this input. Indeed, finding a probable prime $N$ takes time $\tilde O(k^3)$, and so does
the application of Algorithm 2.2 on $N$.

4. Class invariants and gonality 

In large examples, the practical performance of Algorithm 2.2 is hampered by the
computation of a Hilbert class polynomial $P_D$ in Step 3b. As we noted already, the
run time $\tilde O(|D|)$ needed for computing $P_D$ cannot be seriously improved, as the
degree $h(D)$ of $P_D$ is of order of magnitude $\sqrt{|D|}$ by the Brauer-Siegel theorem,
and the number of digits of its coefficients has a similar order of magnitude $\sqrt{|D|}$.
However, already for the moderately small values of $D$ used by our algorithm, the
coefficients of $P_D$ are notoriously large.

It was discovered by Weber [25] that one can often work with 'smaller' modular
functions than the $j$-function to generate the Hilbert class field $H_D$ of $\mathbf{Q}(\sqrt{D})$.
There are many of these functions, and each of them works for some positive
proportion of discriminants. A good example is provided by the Weber function
$\mathfrak{f} = \zeta_{48}^{-1}\,\eta((z+1)/2)/\eta(z)$, which is related to $j$ by an irreducible polynomial relation

$$\Psi(\mathfrak{f}, j) = (\mathfrak{f}^{24} - 16)^3 - j\,\mathfrak{f}^{24} = 0$$

of degree 72 in $\mathfrak{f}$ and degree 1 in $j$. It can be used for all $D \equiv 1 \bmod 8$ coprime to 3.
For $D = -71$, the value $\mathfrak{f}(\tau)$ for an appropriate generator $\tau$ of $O_{-71} = \mathbf{Z}[\tau]$ has the
irreducible polynomial

$$P^{\mathfrak{f}}_{-71} = X^7 + X^6 - X^5 - X^4 - X^3 + X^2 + 2X + 1 \in \mathbf{Z}[X]$$

that requires less precision to compute from its complex zeroes than it does to
compute the Hilbert class polynomial

$$\begin{aligned}
P_{-71} = {}& X^7 + 313645809715\, X^6 - 3091990138604570\, X^5 \\
& + 98394038810047812049302\, X^4 - 823534263439730779968091389\, X^3 \\
& + 5138800366453976780323726329446\, X^2 \\
& - 425319473946139603274605151187659\, X \\
& + 737707086760731113357714241006081263
\end{aligned}$$

coming from the $j$-function. The polynomials $P_{-71}$ and $P^{\mathfrak{f}}_{-71}$ have the same type
of splitting behavior modulo primes as they generate the same field $H_{-71}$ over
$\mathbf{Q}(\sqrt{-71})$. Moreover, the zeroes modulo $p$ of $P^{\mathfrak{f}}_{-71}$ readily give the zeroes of $P_{-71}$
modulo $p$ by the formula $j = \mathfrak{f}^{-24}(\mathfrak{f}^{24} - 16)^3$. A significant speed up in the practical
performance of CM-algorithms can be obtained by using functions such as $\mathfrak{f}$ instead
of $j$.

In cases where the value $f(\tau)$ of a modular function $f$ at some $\tau \in \mathbf{Q}(\sqrt{D})$
generates the Hilbert class field $H_D$ over $\mathbf{Q}(\sqrt{D})$, we call $f(\tau)$ a class invariant.
Class invariants have been well studied, and it is now a rather mechanical process
[24, 12] to check for which $D$ class invariants can be obtained from a given modular
function $f$, and, in case $f(\tau)$ is a class invariant for $\mathbf{Q}(\sqrt{D})$, to find its Galois
conjugates and to compute its minimal polynomial $P^f_D$ over $\mathbf{Q}$.

If $f$ yields class invariants, the logarithmic height of the zeroes of $P^f_D$ will
asymptotically, for $D \to -\infty$, differ from those of $P_D = P^j_D$ by some constant
factor depending on the function $f$. This is the factor we gain in the size of the
coefficients of $P^f_D$ when compared to $P_D$. For the Weber function $\mathfrak{f}$ above, we get
class invariants for discriminants $D \equiv 1 \bmod 8$ not divisible by 3, and the length of
the coefficients is a factor 72 smaller for $P^{\mathfrak{f}}_D$ than it is for $P_D$. For other
discriminants, such as the discriminants congruent to 5 mod 8 from the previous sections,
similar but somewhat smaller factors may be gained by using double eta-quotients

$$\eta(z/p)\,\eta(z/q)\,\eta(z)^{-1}\,\eta(z/pq)^{-1}$$

as in [9].

The 'reduction factor' that is obtained when using a modular function $f$ instead
of $j$ depends on the degree of the irreducible polynomial relation $\Psi(j, f) = 0$ that
exists between $j$ and $f$. In terms of the polynomial $\Psi(f, j)$, we define the
reduction factor of our modular function $f$ as

$$r(f) = \frac{\deg_f \Psi(f, j)}{\deg_j \Psi(f, j)}.$$

By [13, Proposition B.3.5], this is, asymptotically, the inverse of the factor

$$\lim_{h(j(\tau)) \to \infty} \frac{h(f(\tau))}{h(j(\tau))}.$$

Here $h$ is the absolute logarithmic height, and we take the limit over all CM-points
$\mathrm{SL}_2(\mathbf{Z})\cdot\tau \in \mathbf{H}$, ordered by the absolute value of the discriminant of the associated
CM-order. The reduction factor 72 obtained for the Weber function above is close
to optimal in view of the following theorem.

4.1. Theorem. The reduction factor of a modular function $f$ satisfies

$$r(f) \leq 800/7 \approx 114.28.$$

If Selberg's eigenvalue conjecture in [21] holds, then we have

$$r(f) \leq 96.$$

Proof. Let $f$ be modular of level $N > 1$, and $\Gamma(f) \subset \mathrm{SL}_2(\mathbf{Z})$ the stabilizer of
$f$ inside $\mathrm{SL}_2(\mathbf{Z})$. Then $\Gamma(f)$ contains the principal congruence subgroup $\Gamma(N)$ of
level $N$, and the inclusions $\Gamma(N)\cdot\{\pm 1\} \subset \Gamma(f) \subset \mathrm{SL}_2(\mathbf{Z})$ correspond to coverings

$$X(N) \longrightarrow X(f) \xrightarrow{\;j\;} \mathbf{P}^1_j$$

of modular curves. Here $X(N)$ is the full modular curve of level $N$, which
maps to the $j$-line $\mathbf{P}^1_j$ under $j$. This map factors via the intermediate modular
curve $X(f)$, which has function field $\mathbf{C}(j, f)$. The Galois theory for the function
fields shows that the degree of the map $j : X(f) \to \mathbf{P}^1_j$ is equal to

$$[\mathrm{SL}_2(\mathbf{Z}) : \Gamma(f)] = [\mathbf{C}(j, f) : \mathbf{C}(j)] = \deg_f(\Psi(f, j)).$$

We now consider the gonality $\gamma(X(f))$ of the modular curve $X(f)$, i.e., the minimal
degree of a non-constant morphism $\pi : X(f) \to \mathbf{P}^1$. Abramovich [1] proved in 1996
that the gonality of any modular curve $X_H$ corresponding to some congruence
subgroup $H \subset \mathrm{SL}_2(\mathbf{Z})$ is bounded from below by $c\cdot[\mathrm{SL}_2(\mathbf{Z}) : H]$ for some universal
constant $c > 0$. His proof yields the value $c = 7/800$, and under assumption of
Selberg's eigenvalue conjecture [21] the constant $c$ can be taken equal to $1/96$.
For our curve $X(f)$, the rational map $f : X(f) \to \mathbf{P}^1$ has degree

$$[\mathbf{C}(j, f) : \mathbf{C}(f)] = \deg_j(\Psi(f, j)),$$

and this degree is at least $\gamma(X(f))$. We can now use Abramovich's lower bound to
obtain

$$r(f) = \frac{\deg_f(\Psi(f, j))}{\deg_j(\Psi(f, j))} \leq \frac{[\mathrm{SL}_2(\mathbf{Z}) : \Gamma(f)]}{c\cdot[\mathrm{SL}_2(\mathbf{Z}) : \Gamma(f)]} = \frac{1}{c}.$$

The proven value $c = 7/800$ and its conditional improvement $c = 1/96$ yield the
two statements of our theorem. □



We do not know whether the value 96 is attained for some function $f$. The factor
72 of Weber's function is the best we know.
5. Numerical examples

We illustrate Algorithm 2.2 by constructing an elliptic curve having exactly

$$N = 123456789012345678901234567890123456789012345678901234568197$$

points. The integer $N \approx 10^{60}$ is prime, and the discrete logarithm problem is
believed to be hard for such a curve.

We have $\log N \approx 136$ and there are 15 odd primes $p < 136$ with $\bigl(\frac{N}{p}\bigr) = 1$. We
compute and store $\sqrt{p^*}$ mod $N$ for these primes, and we try to find a discriminant
$D \equiv 5 \bmod 8$ built from primes out of this 'basis' such that $N$ splits as $N = \alpha\bar\alpha$ in
the order $O_D$ and such that $N + 1 \pm \mathrm{Trace}(\alpha)$ is prime. For $D = -41\cdot 59 = -2419$
we find a solution

$$x = 531376585512740287835890668303, \qquad y = 9349802208089011828618119329$$

to the norm equation $x^2 - Dy^2 = 4N$ for which $p = N + 1 + x$ is prime.

The class group $\mathrm{Pic}(O_D)$ is cyclic of order 8. The Hilbert class polynomial $P_D$
has degree 8, and coefficients of up to 119 decimal digits. It splits completely modulo

$$p = 123456789012345678901234567890654833374525085966737125236501,$$

and any of its zeroes is the $j$-invariant of a curve having $N$ points. With $a =
112507913528623610837613885503682230698868883572599681384335 \in \mathbf{F}_p$, the
elliptic curve $E_a$ given by

$$Y^2 = X^3 + aX - a$$

has $N$ points, as may be checked by computing $N \cdot (1, 1) = 0 \in E_a(\mathbf{F}_p)$.

We can speed up the algorithm by computing a 'smaller' polynomial than the
Hilbert class polynomial. We are in the case where 3 does not divide $D = -2419$,
and here the cube root $\gamma_2$ of the $j$-function can be shown to yield class invariants.
The polynomial $P^{\gamma_2}_{-2419} \in \mathbf{Z}[X]$ has coefficients up to $40 \approx 119/3$ decimal digits.
For a root $x \in \mathbf{F}_p$ of $P^{\gamma_2}_{-2419} \in \mathbf{F}_p[X]$, the cube $x^3 \in \mathbf{F}_p$ is the $j$-invariant of a curve
with $N$ points.

The value of a double $\eta$-quotient $f$ of the type above at a suitable point $z$ in $\mathbf{Q}(\sqrt{-2419})$
generates the Hilbert class field $H_{-2419}$. The minimal polynomial $\Psi$ of $f$ over $\mathbf{C}(j)$
can be computed as in [10]. It has degree 4 in $j$ and degree 84 in $X$, and we have
$r(f) = 84/4 = 21$. Indeed, the polynomial

$$P^f_{-2419} = X^8 + 87X^7 + 14637X^6 - 3810X^5 + 39662X^4 + 42026X^3 + 12593X^2 - 221X + 1$$

has coefficients of no more than $119/21 < 6$ digits, and its roots generate $H_{-2419}$
over $\mathbf{Q}(\sqrt{-2419})$. This polynomial splits completely modulo $p$. Let $\alpha \in \mathbf{F}_p$ be a
root. The polynomial $\Psi(\alpha, X) \in \mathbf{F}_p[X]$ has degree 4, and one of its roots in $\mathbf{F}_p$ is
the $j$-invariant of a curve with $N$ points.
If we are only interested in an elliptic curve whose group order is a prime of 60
decimal digits, we can also use the naive algorithm of trying random curves over a
field $\mathbf{F}_p$ with $p \approx 10^{60}$. For $p = 10^{60} + 7 = \mathrm{nextprime}(10^{60})$, the smallest positive
integer $j$ such that $j$ mod $p$ is the $j$-invariant of a curve of prime order is $j = 180$.

Alternatively, we can use Algorithm 3.1 to construct an elliptic curve with CM
by $\mathbf{Z}[\zeta_3]$ that has prime order of the desired size. In Step 2 we consider consecutive
primes $p = 10^{60} + 99, \ldots$ congruent to 1 mod 3. The fourth prime, $p = 10^{60} + 1059$,
yields the prime value

$$q = 999999999999999999999999999998130705774503095542609960125197,$$

and the elliptic curve defined by $Y^2 = X^3 + 537824$ has $q$ rational points over $\mathbf{F}_p$.
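As an added example (not code from the paper), the following Python checks the two curves of this section: it builds the curve (2.1) from a $j$-invariant, runs the $N \cdot (1, 1) = 0$ test of Step 3b on $E_a$ over $\mathbf{F}_p$ with the values quoted above, falls back to the quadratic twist as the text prescribes, and tests that $Y^2 = X^3 + 537824$ has $q$ points over $\mathbf{F}_p$ for $p = 10^{60} + 1059$, using that this $p$ is 3 mod 4 to find a point on it. The function and variable names are this example's own.

```python
# Constants quoted in Section 5 of the paper: the prime N, the prime p = N + 1 + x found for
# D = -2419, the coefficient a of E_a, and the prime pair of the CM-by-Z[zeta_3] example.
N = 123456789012345678901234567890123456789012345678901234568197
P = 123456789012345678901234567890654833374525085966737125236501
A = 112507913528623610837613885503682230698868883572599681384335
P3 = 10**60 + 1059
Q3 = 999999999999999999999999999998130705774503095542609960125197

INF = None   # the point at infinity, the zero of the group law


def ec_add(R, S, a, p):
    """Affine chord-and-tangent addition on Y^2 = X^3 + a X + b over F_p (b drops out)."""
    if R is INF:
        return S
    if S is INF:
        return R
    x1, y1 = R
    x2, y2 = S
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                       # R = -S
    if R == S:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(n, R, a, p):
    """Double-and-add scalar multiplication n * R."""
    acc = INF
    while n:
        if n & 1:
            acc = ec_add(acc, R, a, p)
        R = ec_add(R, R, a, p)
        n >>= 1
    return acc


def has_order(n, R, a, p):
    """True if n * R = 0; for prime n and R != 0 this exhibits a point of order n."""
    return R is not INF and ec_mul(n, R, a, p) is INF


def j_invariant(a, b, p):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) of Y^2 = X^3 + a X + b over F_p."""
    return 1728 * 4 * pow(a, 3, p) * pow((4 * pow(a, 3, p) + 27 * b * b) % p, -1, p) % p


def coeff_from_j(j0, p):
    """a = 27 j0 / (4 (1728 - j0)), so that Y^2 = X^3 + aX - a has j-invariant j0 (eq. (2.1))."""
    assert j0 % p not in (0, 1728 % p), "j0 = 0 and j0 = 1728 need the extra twists"
    return 27 * j0 * pow(4 * (1728 - j0), -1, p) % p


def curve_with_n_points(j0, p, n):
    """Step 3b of Algorithm 2.2: the curve (2.1) if n * (1, 1) = 0 on it, else its quadratic
    twist by a non-square g, which the paper states has n points when (2.1) does not."""
    a = coeff_from_j(j0, p)
    if has_order(n, (1, 1), a, p):       # (1, 1) lies on Y^2 = X^3 + aX - a since 1 + a - a = 1
        return (a, (-a) % p)
    g = 2
    while pow(g, (p - 1) // 2, p) != p - 1:   # Euler's criterion: smallest quadratic non-residue
        g += 1
    return (g * g * a % p, (-pow(g, 3, p) * a) % p)


def point_on_curve(a, b, p):
    """A point on Y^2 = X^3 + a X + b for p = 3 mod 4, where c^((p+1)/4) is a root of c if any."""
    assert p % 4 == 3
    for x in range(1, 10000):
        rhs = (pow(x, 3, p) + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)


if __name__ == "__main__":
    print(has_order(N, (1, 1), A, P))                            # the E_a check of Section 5
    print(has_order(Q3, point_on_curve(0, 537824, P3), 0, P3))   # Y^2 = X^3 + 537824 over F_p
```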

There is some concern that elliptic curves with 'small' endomorphism ring might be
less secure for cryptographic purposes. It is recommended that the class number of
the endomorphism ring should be at least 200. This is no problem for our algorithms.
Indeed, we can stop in Step 3b in Algorithm 2.2 only if the class number $h(D) =
\deg P_D$ of the discriminant $D$ obtained is large enough. In our example, the next
higher values after $D = -2419$ for which we also find solutions to $x^2 - Dy^2 = 4N$
with $N + 1 \pm x$ prime are $D = -21003 = -3\cdot 7001$, $D = -517147 = -587\cdot 881$ and
$D = -590971 = -17\cdot 34763$. The class group of the order of discriminant $-590971$
is cyclic of order $228 > 200$.

The primes $N$ needed for cryptography are rather 'small' as input for the two
Algorithms in Section 2. There is no problem in feeding $N = \mathrm{nextprime}(10^{2006}) =
10^{2006} + 2247$ to Algorithm 2.2. It yields the prime discriminant $D = -15907$ of
class number 15. The corresponding class polynomial $P_D$ has coefficients of up to
273 digits, and the desired elliptic curve is readily found. We do not print it here, as
it has coefficients modulo a prime of 2006 digits that are not particularly pleasing
to the human eye.